Hello,

I am running OpenSSL 0.9.8g 19 Oct 2007. I have a certificate for which I want to check the OCSP response. The root chain is added to the root list. OpenSSL says all of it is OK. The chain has a three-level architecture: Root, which signs OCSP & Policy; Policy, which signs the issuing CA, which signs the subscriber CA.

$ openssl verify ksmelkovs.pem # Cert to verify
ksmelkovs.pem: OK
$ openssl verify tssp.pem # OCSP responder cert
tssp.pem: OK
$ openssl verify cacers/*vas*rca*pem
cacers/vas latvijas pasts ssi(rca).pem: OK
$ x509 <ksmelkovs.pem -text |grep ocsp
OCSP - URI:http://ocsp.e-me.lv/responder.eme
$ x509 <ksmelkovs.pem -text |grep Issue
Issuer: C=LV, O=VAS Latvijas Pasts - Vien.reg.Nr.40003052790, OU=Sertifikacijas pakalpojumi, CN=VAS Latvijas Pasts SI(CA2)
$ ocsp -issuer cacers/*ca2*pem -cert ksmelkovs.pem -url http://ocsp.e-me.lv/responder.eme
*Response Verify Failure
5083:error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted:ocsp_vfy.c:148: *
ksmelkovs.pem: good
This Update: Mar 23 11:29:33 2010 GMT
konr...@konrads-laptop:~/Sertifikati$ openssl verify ksmelkovs.pem
ksmelkovs.pem: OK

Copies of these certs are uploaded here: http://drop.io/lykqq21#

The 64k USD question: If I have the entire trust chain in the trusted list, then why would it complain?

--
Konrads Smelkovs
Applied IT sorcery.